[30914] in Kerberos

home help back first fref pref prev next nref lref last post

RE: SASL authentication

daemon@ATHENA.MIT.EDU (Xu, Qiang (FXSGSC))
Tue Mar 24 05:22:55 2009

From: "Xu, Qiang (FXSGSC)" <Qiang.Xu@fujixerox.com>
To: =?iso-8859-1?Q?Michael_Str=F6der?= <michael@stroeder.com>,
   "kerberos@mit.edu" <kerberos@mit.edu>
Date: Tue, 24 Mar 2009 17:21:44 +0800
Message-ID: <D8C9BC7FFCF8154FB7141EB8DB609C1729058B3A83@SGPAPHQ-EXSCC01.dc01.fujixerox.net>
In-Reply-To: <v34l96-gkf.ln1@nb2.stroeder.com>
Content-Language: en-US
MIME-Version: 1.0
X-MAIL-FROM: <qiang.xu@fujixerox.com>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

> -----Original Message-----
> From: kerberos-bounces@mit.edu 
> [mailto:kerberos-bounces@mit.edu] On Behalf Of Michael Str?der
> Sent: Tuesday, March 24, 2009 3:22 AM
> To: kerberos@mit.edu
> Subject: Re: SASL authentication
> 
> Use nslookup.exe on host name and IP address. They must match.

Thanks, Michael! Using nslookup in the client Linux box, I found it is the reason why there is no outward LDAP traffic. The LDAP server (AD in Windows 2003 Server), as I said, is the primary domain controller of its own. It is also the DNS server in its own domain. I didn't recognize that this DNS server is not in the nameserver list of the client machine. No wonder it can not resolve the name. Now it is added into the file "/etc/resolv.conf":
==========================================================
search sgp.fujixerox.com sesswin2003.com /* sesswin2003.com is the domain name of the AD server */
nameserver 13.198.8.83
nameserver 13.198.96.10
nameserver 13.198.98.35 /* This is the IP Address of the domain controller with its FQDN as sesswin2003.sesswin2003.com */
==========================================================
But strangely, with this file modified, "nslookup sesswin2003" still fails. To my surprise, even in the AD itself, this command fails. So I suspect DNS in the AD is not running properly. Could you tell me where to look at in the AD to fix the DNS issue?
 
> > [libdefaults]
> >  default_realm = durian.fujixerox.com
> > [..]
> > In this configuration file, "durian" is the hostname of the client 
> > machine. Is there anything wrong with it?
> 
> I'm confused. Why do you put in durian.fujixerox.com here.
> 
> default_realm MUST point to a Kerberos realm. In a MS AD 
> environment this is simply the upper-case DNS domain name of 
> the AD domain.

durian is the hostname of the client Linux box. fujixerox.com is the domain name in which the client lies.
Yes, I also feel this is strange setting. durian.fujixerox.com is FQDN of the client, not a domain name.

But since it has nothing to do with the LDAP traffic, I don't want to change it now.
 
> > [realms]
> >  SESSWIN2003.COM = {
> >   kdc = 13.198.98.35:88
>           ^^^^^^^^^^^^
> Is that the IP address of your AD domain controller? Is 
> SESSWIN2003.COM your AD domain?

Yes, this is the IP address of the AD domain controller. And Yes again, SESSWIN2003.COM is my AD domain.
 
> >  durian.fujixerox.com = {
> >   kdc = kerberos.durian.fujixerox.com:88
> >   admin_server = kerberos.durian.fujixerox.com:749  }
> 
> Likely you should remove that.
> 
> You should try to find a working setup with AD using your 
> favourite search engine. Please read a little bit more what 
> the different parameters really mean.

Thanks a lot,
Xu Qiang

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

home help back first fref pref prev next nref lref last post